(54) Method and apparatus providing for internet protocol address authentication



(57) A method and apparatus for storage of user identifier / IP address pairs in a network. The network includes a DHCP server for assigning IP addresses to computer and other devices in the network, a device (such as a computer) coupled to receive an IP address from the DHCP server, an authentication server coupled with the device for receiving user identifier / IP address pairs from the device and authenticating the user, and a directory server coupled to receive authenticated user identifier / IP address pairs from the authentication server.
Description

BACKGROUND OF THE INVENTION 

[0001] An IP address (also called an IP number) is a number (typically written as four numbers separated by periods, e.g. 107.4.1.3 or 84.2.1.111) which uniquely identifies a computer that is making use of the Internet. It is analogous to your telephone number in that the telephone network directs calls to your telephone using your telephone number. The IP address is used by the Internet to direct data to your computer, e.g. the data your web browser retrieves and displays when you surf the net.

[0002] It is important that each computer accessing the internet (or an intranet) has a unique IP address. One method of doing this is for a network administrator to individually assign an IP address to each computer that will make use of the network. This is a relatively cumbersome task, especially in networks supporting a large number of computers. The task is complicated by the fact that if computers move to another location in another part of the network, a new IP address must be entered.

[0003] Dynamic Host Configuration Protocol (DHCP) is a protocol that lets network administrators centrally manage and automate the assignment of IP addresses in an organization's network. DHCP essentially lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged into a different place in the network. The DHCP server grants the computer a period of time to use the IP address. This period of time is called the DHCP lease period. (It should be noted that this application has referred to computers, but any number of other devices could be connected to a network and be assigned IP addresses; such devices might be referred to generically simply as devices and, when receiving an IP address from a DHCP server, as DHCP clients.)

[0004] Of course, from the standpoint of network management, this eases the burden on the network administrator significantly. Unfortunately, there is no longer a one-to-one association between particular computers and IP addresses.

[0005] DHCP does provide an authentication mechanism, essentially by denying a user an IP address until the user has been authenticated. Thus, only users authorized to receive an IP address from the particular DHCP server will receive one. In essence, the user is authenticated. However, no mechanism is provided to applications to look up user identifiers based on known IP addresses or to look up IP addresses based on known user identifiers.

[0006] With the advent of certain technologies, such as Voice over IP and policy enabled networking, it would be useful to provide a trusted association between IP addresses and particular computers (and even particular users). In these applications, routing and bandwidth considerations are based on source and destination addresses. These decisions require authenticated addresses; therefore, DHCP authentication of users is not an effective way to decide which users will get access to network services.

[0007] Thus, what is desired is an improved method and apparatus for authenticating computer/user and IP address pairs.

[0008] Directories of network users exist. For example, email systems typically include their own directories. The CCITT has adopted X.500 as a standard for directories on TCP/IP networks. X.500 has been criticized as being too large. More recently, the Lightweight Directory Access Protocol (LDAP) has been proposed. The original specifications for LDAP were set forth in RFC 1487. More recently, LDAPv2 was defined in RFC 1777 and even more recently LDAPv3 has been defined in RFC 1487.
[0009] These directories include much information about network users. RFC 2256 provides a list of attributes to be stored in a standard LDAPv3 database. The LDAPv3 database schema includes, for example, business names, post office addresses, telephone information, etc. However, the included information is relatively static information.

[0010] What is needed is to include dynamic information in an LDAP directory, including, by way of example, IP address information.

SUMMARY OF THE INVENTION

[0011] According to a first aspect of the invention there is provided a method and apparatus for authenticating user/internet protocol (IP) address pairs comprising binding a user identifier with an assigned internet protocol address. The bound user/IP address is stored for retrieval by applications desiring to authenticate users based on their IP address.
[0012] According to a fourth aspect of the invention there is provided a method comprising: providing an internet protocol (IP) address to a computer; establishing a connection between the computer and a server; receiving by the server the IP address and a corresponding user identifier to be used by a user of the computer; and storing the user identifier/IP address pair in a data store.

[0013] According to another aspect of the invention there is provided a server comprising: a first data store having stored therein an authenticated user identifier/internet protocol address pair; and a second data store having stored therein a program which when executed on a processor retrieves the authenticated user identifier/internet protocol address pair and transmits the pair to a requesting device.

[0014] According to another aspect of the invention there is provided a network comprising a DHCP server for assigning internet protocol (IP) addresses to computer and other devices in the network, a device coupled to receive an IP address from the DHCP server, an authentication server coupled with the device for receiving user identifier/IP address pairs from the device and authenticating the user, and a directory server coupled to receive authenticated user identifier/IP address pairs from the authentication server.
[0015] According to another aspect of the invention there is provided a lightweight directory access protocol (LDAP) server comprising: a first data store having stored therein a user identifier/internet protocol address pair; and a second data store having stored therein a program which when executed on a processor retrieves the user identifier/internet protocol address pair and transmits the pair to a requesting device.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0016] Figure 1 is an overall diagram illustrating a network as may implement an embodiment of the described invention.

[0017] Figure 2 is an overall flow diagram illustrating a method of an embodiment of the present invention.

[0018] Figure 3 is a high level block diagram of a Lightweight Directory Access Protocol server as may be utilized in embodiments of the present invention.

[0019] For ease of reference, it might be pointed out that reference numerals in all of the accompanying drawings typically are in the form "drawing number" followed by two digits, xx; for example, reference numerals on Figure 1 may be numbered 1xx; on Figure 3, reference numerals may be numbered 3xx. In certain cases, a reference numeral may be introduced on one drawing and the same reference numeral may be utilized on other drawings to refer to the same item.

DETAILED DESCRIPTION OF THE EMBODIMENTS OF THE PRESENT INVENTION

[0020] Turning first to Figure 1, an overall diagram illustrating a network as may implement an embodiment of the present invention is provided. It will be worthwhile to describe Figure 1 in conjunction with Figure 2, which illustrates a method of an embodiment of the invention. In Figure 1, a user's computer 102 is illustrated. The user's computer 102 initiates a DHCP request to DHCP server 101 to obtain an IP address. The DHCP server 101 assigns an IP address to the user's computer 102, block 201. This processing follows standard DHCP processing and will not be described in greater detail, except to note that this processing may be carried out using authenticated DHCP processing as was mentioned above in the background section. It should also be noted that, in the described embodiment, the user receives an IP address via DHCP. However, in alternate embodiments, the IP address may be received by alternative means (such as by being directly assigned by a network administrator) without departure from the spirit and scope of the present invention. What is important is that there exists a user/IP address pair to be stored.
[0021] It should be noted that, particularly when assigned by a DHCP server, the IP address is relatively dynamic. The present invention may have application with respect to storage of other dynamic information and binding the dynamic information with a user identifier by storing the information in an LDAP or other database.
[0022] It should also be noted that the various connections illustrated on Figure 1, including for example the connection between the user's computer 102 and the DHCP server 101, may be direct connections as illustrated. More commonly, these connections will be made through a network such as the Internet using TCP/IP as the transport protocol.

[0023] The user then logs into an authentication server 104, block 202. This log-in process may utilize some simple identification of the user (such as by the user simply providing a log-in user identifier) or may use any level of more sophisticated security, ranging from simple password security to use of secure encryption for the session.

[0024] In one embodiment, the user logs into the authentication server 104 using a web page which allows the user to provide both a user identifier ("user id") and a password. Messages sent to the authentication server 104 will include the user identifier, password and the IP address assigned to the user's computer 102. In an alternative embodiment, the user may store on the computer 102 both a user identifier and password. The computer 102 may be programmed to automatically provide the stored user identifier, password and IP address to the authentication server 104. This programming may be accomplished, for example, by downloading a JAVA™ Applet. Of course, storing the user's password directly on the computer 102 has security implications. Therefore, in alternative embodiments, the user may provide this information at initial log-in to the computer 102 (as is common in many computer environments) rather than storing it permanently on the computer 102.

[0025] The authentication server 104 authenticates the user as an authorized user, block 203. This process may include retrieving the user's public key from a public key database 105 if the session is an encrypted session.
[0026] After the user is authenticated, block 203, the authentication server 104 notifies a Lightweight Directory Access Protocol (LDAP) server 106, block 204. The LDAP server 106 stores the user identifier/IP address pair, block 205. The session between the authentication server 104 and the LDAP server 106 may be authenticated in order to provide for security of this transaction. Alternatively, both processes may execute on the same hardware platform in certain embodiments.
[0027] The information in the LDAP server may then be used by various applications executing on computers 109 which require authenticated user id/IP address information.

EP 1 039 724 A2

[0028] As will be appreciated, the authentication of the user id and IP address pair is known to be valid only at the instant of authentication. In certain embodiments, it may be useful to provide for a time out or other mechanism which requires the user to re-authenticate after some event (such as the expiration of a period of time).
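The following Python program is an added example, not code from the patent or its applicant. It simulates the binding system of paragraphs [0023] to [0029]: an authentication server (104) that receives a user id, password and IP address from the device, authenticates the user (block 203), and pushes the authenticated user id/IP pair to a directory store standing in for LDAP server 106 (blocks 204 and 205); applications can then look up the user for a known IP address or the IP address for a known user, the two directions [0005] says plain DHCP lacks. Each stored pair carries the time of authentication so that a binding expires after a configurable time-out, as [0028] suggests. All class and function names, the PBKDF2 password hashing, and the sample users, passwords, addresses and clock values are assumptions constructed for this example.

```python
# Added example (not from the patent): simulation of the user id / IP
# address binding system of paragraphs [0023]-[0029]. Names, hashing
# scheme and sample data are assumptions made for this example.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (assumed; the patent only speaks
    of 'simple password security')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credentials(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a salted credential table from constructed user/password pairs."""
    creds: Dict[str, Tuple[bytes, bytes]] = {}
    for uid, pw in users.items():
        salt = os.urandom(16)
        creds[uid] = (salt, _derive(pw, salt))
    return creds


@dataclass
class Binding:
    user_id: str
    ip_address: str
    authenticated_at: float  # epoch seconds; drives the [0028] time-out


class DirectoryStore:
    """Stands in for LDAP server 106 (Figure 3): database 304 of
    authenticated user id/IP pairs, answering lookups in both directions."""

    def __init__(self, timeout_seconds: float) -> None:
        self.timeout = timeout_seconds
        self._by_ip: Dict[str, Binding] = {}
        self._by_user: Dict[str, Binding] = {}

    def store(self, binding: Binding) -> None:
        """Block 205. A user re-binding from a new IP, or an IP that a
        recycled DHCP lease hands to a new user, replaces the stale pair so
        the store never holds two contradictory bindings."""
        for stale in (self._by_user.get(binding.user_id),
                      self._by_ip.get(binding.ip_address)):
            if stale is not None:
                self._by_user.pop(stale.user_id, None)
                self._by_ip.pop(stale.ip_address, None)
        self._by_ip[binding.ip_address] = binding
        self._by_user[binding.user_id] = binding

    def _live(self, b: Optional[Binding], now: float) -> Optional[Binding]:
        # A pair older than the time-out is treated as absent ([0028]).
        if b is None or now - b.authenticated_at > self.timeout:
            return None
        return b

    def user_for_ip(self, ip: str, now: Optional[float] = None) -> Optional[str]:
        b = self._live(self._by_ip.get(ip), time.time() if now is None else now)
        return b.user_id if b else None

    def ip_for_user(self, uid: str, now: Optional[float] = None) -> Optional[str]:
        b = self._live(self._by_user.get(uid), time.time() if now is None else now)
        return b.ip_address if b else None


class AuthenticationServer:
    """Stands in for authentication server 104: blocks 202-204."""

    def __init__(self, creds: Dict[str, Tuple[bytes, bytes]],
                 directory: DirectoryStore) -> None:
        self._creds = creds
        self._directory = directory

    def login(self, user_id: str, password: str, ip_address: str,
              now: Optional[float] = None) -> bool:
        """Authenticate the user (block 203); on success notify the directory
        of the user id/IP pair (block 204). A failed login stores nothing."""
        rec = self._creds.get(user_id)
        if rec is None:
            return False
        salt, expected = rec
        if not hmac.compare_digest(_derive(password, salt), expected):
            return False
        stamp = time.time() if now is None else now
        self._directory.store(Binding(user_id, ip_address, stamp))
        return True


def demo() -> Dict[str, Optional[str]]:
    """Walk the flow with constructed users and explicit clock values."""
    creds = make_credentials({"alice": "correct horse", "bob": "hunter2"})
    directory = DirectoryStore(timeout_seconds=600)
    auth = AuthenticationServer(creds, directory)
    results: Dict[str, Optional[str]] = {}
    auth.login("alice", "wrong password", "10.0.0.5", now=1000.0)
    results["after_failed_login"] = directory.user_for_ip("10.0.0.5", now=1000.0)
    auth.login("alice", "correct horse", "10.0.0.5", now=1000.0)
    results["user_for_ip"] = directory.user_for_ip("10.0.0.5", now=1200.0)
    results["ip_for_user"] = directory.ip_for_user("alice", now=1200.0)
    results["after_timeout"] = directory.user_for_ip("10.0.0.5", now=1700.0)
    auth.login("bob", "hunter2", "10.0.0.5", now=1800.0)  # lease recycled to bob
    results["recycled_ip"] = directory.user_for_ip("10.0.0.5", now=1800.0)
    results["old_user"] = directory.ip_for_user("alice", now=1800.0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter for a deployment of this scheme. First, `store` evicts the previous binding for both the user id and the IP address, because a DHCP lease can hand the same address to a different device within the directory's time-out window; a store that only indexed by user id would keep answering the old user for that address. Second, the example, like [0024], takes the IP address from the login message; a server that instead records the observed source address of the login session has a stronger basis for the pair, and the session authentication between servers 104 and 106 that [0026] mentions protects the pair in transit.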
[0029] Turning briefly to Figure 3, a high level block diagram illustrating components of the LDAP server 106 is shown. The LDAP server 106 comprises a database of authenticated user id/IP address pairs 304. These pairs have, in the described embodiment, been received from the authentication server 104 using a communication program 302 executed on processor 306 for receiving the user id/IP address pairs. Applications executing on requesting devices 109 may request access to the user id/IP address pairs 304 by using communication program 301.

[0030] Certain implementations may not require security. In such implementations, aspects of the present invention may be implemented without requirement for use of the authentication techniques discussed above. Therefore, the present application may refer to the authentication server 104 simply as a binding server. The binding server and LDAP server (or other database) may be referred to collectively as a "binding system" which serves to associate a user identifier with dynamic information about the user (such as an IP address) and store the information in a data store.
[0031] Thus, what has been disclosed is a method and apparatus for authenticating users/internet protocol (IP) address pairs.



Claims 

1. A method comprising:

providing an internet protocol (IP) address to a computer;

establishing a connection between the computer and a server;

receiving by the server the IP address and a corresponding user identifier to be used by a user of the computer; and

storing the user identifier/IP address pair in a data store.

2. The method as recited by claim 1, wherein the establishing of the connection includes

authenticating the user; and

establishing a secure connection between the computer and the server if the user is authenticated.

3. The method as recited by claim 1, wherein the assigning of the internet protocol address includes

initiating a request by the computer to a dynamic host configuration protocol (DHCP) server; and

assigning the IP address by the DHCP server; and

sending the IP address to the computer.

4. The method as recited by claim 1, wherein the data store includes a database of a Lightweight Directory Access Protocol server.

5. A server comprising:

a first data store having stored therein an authenticated user identifier / internet protocol address pair; and

a second data store having stored therein a program which when executed on a processor retrieves the authenticated user identifier / internet protocol address pair and transmits the pair to a requesting device.

6. The server as recited by claim 5, further comprising:

a third data store having stored therein a program which when executed on a processor stores authenticated user identifier / internet protocol address pairs received from an authentication server.



7. A method comprising:

a first device communicating with a dynamic host configuration protocol (DHCP) server to have an internet protocol (IP) address assigned to the first device;

the first device communicating to an authentication server a user identifier and the IP address;

the authentication server authenticating the user;

the authentication server communicating to a lightweight directory access protocol (LDAP) server the user identifier / IP address pair; and

the LDAP server storing the user identifier / IP address pair.

8. A network comprising:

a dynamic host configuration protocol (DHCP) server;

a computer coupled in communication with the DHCP server over the network to receive an internet protocol (IP) address;

an authentication server coupled in communication over the network with the computer, the authentication server to authenticate a user using the computer based on a user identifier communicated from the computer; and

a directory server coupled in communication with the authentication server, the directory server to receive and store both the authenticated user identifier and its corresponding IP address from the authentication server.

9. The network as recited by claim 8, wherein the directory server is a lightweight directory access protocol (LDAP) server.

10. The network as recited by claim 8, further comprising requesting devices coupled in communication with the directory server for requesting authenticated user identifier / IP address pairs.

11. A network comprising a DHCP server for assigning internet protocol (IP) addresses to computer and other devices in the network, a device coupled to receive an IP address from the DHCP server, an authentication server coupled with the device for receiving user identifier / IP address pairs from the device and authenticating the user, and a directory server coupled to receive authenticated user identifier / IP address pairs from the authentication server.

12. A lightweight directory access protocol (LDAP) server comprising:

a first data store having stored therein a user identifier / internet protocol address pair; and

a second data store having stored therein a program which when executed on a processor retrieves the user identifier / internet protocol address pair and transmits the pair to a requesting device.

13. A lightweight directory access protocol (LDAP) server comprising:

a first data store having stored therein a user identifier and dynamic information related to the user identifier; and

a second data store having stored therein a program which when executed on a processor retrieves the user identifier and dynamic information and transmits the information to a requesting device.

14. The LDAP server as recited by claim 13, further comprising a third data store having stored therein a program which when executed on a processor stores dynamic information related to a user identifier in the first data store.

15. The LDAP server as recited by claim 14, wherein the dynamic information is an internet protocol address.